Too much looseness around this idea has been detected within the ranks of industry "experts". What exactly does "risk-based" mean? A frivolous or loose treatment of this idea must not be known among no-nonsense ninjas.
Perhaps this differentiation exercise can help us properly align our perspectives when we talk about a risk-based approach in connection with anything. As the term itself indicates, "risk-based" has two parts that must be properly understood: part 1, the risk, and part 2, the risk as the basis for determining the matching action. First, we must ask: "Risk to whom?"
👉 Whatever poses a risk to the end-users or consumers of products or services offered by a business automatically poses a risk to that business.
👉 However, what poses a risk to a business does not automatically pose a risk to the end-users of the products or services offered by that business.
Once the subject of the risk consideration is identified (the business or the consumer), we must establish the correctness of the risk identification and its "Richter scale": 1. the depth and scope of the risk determination process, and 2. the scope, intensity, and persistence of the matching action.
This is not the stuff of third-party schemes or regulatory agency inspections. It falls to the parties with the primary responsibility. The efficacy of implemented measures must be established in advance, with ongoing monitoring of their effectiveness and evaluation of their efficiency.